Digital Forensics Incident
Maximising the ability to gather relevant digital evidence while minimising cost and
disruption to normal operations.
Presented by Colm Gallagher MSc FCCI, CFCE, Forensics Director, CommSec
Current Forensic Director at CommSec Communications and Security (2020 - present)
Former Detective at Garda National Cyber Crime Bureau
Former Systems Administrator at Garda IT Division (1997-
Former Irish Representative on Europol CGNAT Expert Group
Rubbish at making PowerPoints look good (1987-Present)
• Criminal investigations
• Civil litigation
• Incident response
• HR investigations
• Data Breaches
• Insider threats
tools – a sprawling
• Digital Forensics suites
• Specific-use tools (e.g. Shellbag examination tools)
• Mobile Forensic tools
• Blockchain analysis tools
• Incident response triage tools
• Remote acquisition tools
• Log analysis tools
• Search and visualisation tools
• Case Management tools
• OSINT tools
• Dual use tools – living off the land
An ever-growing array of tools designed to process an ever-growing
variety of information sources.
Forensics issues –
• Larger datasets consume finite processing power
• Storage requirements
• Staff retention is an issue
• Under investment/Budgetary constraints
• Longer procurement processes
• Requirement to find best evidence
• Privacy legislation and regulations may hamper evidence
• Lack of access to evidence
• Global evidence sources in various jurisdictions
• However, capability and methodologies are largely already in place, and incidents investigated are usually external (and known of in advance)
Forensics issues –
• Large datasets
• Cloud usage is widespread
• Varying levels of control over evidence
• Lack of evidence sources?
• Qualified personnel not always in-house
• eDiscovery needs
• Dual use devices (BYOD)
• Legal issues
• Incidents may arise suddenly
Forensics time sinks
• Identification of evidence sources
• Gaining access to evidence sources
• Obtaining a supply of storage
• Setting up and verifying required tools
• Allocation of roles
• Copying data/Forensic imaging
• Processing of gathered evidence
• Analysis of relevant evidence
To ensure consistent and effective management of evidence related to information security incidents for the purposes of disciplinary and legal actions, the organization should establish and implement procedures for the identification, collection, acquisition and preservation of evidence related to information security events.
The achievement of an appropriate level of capability by an organization in order for it to be able to collect, preserve, protect and analyse digital evidence so that this evidence can be effectively used in any legal matters, in disciplinary matters, in an employment tribunal or court of law.
UK Ministry of Justice
It is necessary, as part of incident management, to have the ability to collect and analyse data held on a variety of electronic devices or storage media that may be used as evidence in some future
UK MoJ have published policies requiring forensic readiness and planning.
• Where’s our evidential data?
• Who has access to it?
• Are we discarding useful evidence sources?
• Where might the evidence be for given scenarios?
• What are our retention periods?
• How should we get at potential evidence?
• Who’s going to do it?
• Where will we put it?
Tasks you may not want to leave until your busiest time
• Identify evidence
• Prioritise evidence sources and their retention
• Allocate roles
• Gain access
• Establish roles and communication channels
• Identify and contact 3rd Party support
• Identify, obtain and verify required tools and
• Create document templates such as receipts,
chain of custody records, incident logs
• Create case file environment
• Obtain secure storage
• And so on…
Planning – some
• Information asset register
• Location of information
• Ownership of assets
• Retention times for information
• Importance of each asset to the organisation
• Are logs retained in relation to the asset?
• Incident response plan
• Include potential forensic actions
• How should we get at evidence
• Roles and responsibilities
• Establish communication channels
• Where will we store evidence?
• How long should it typically take to extract evidence?
• What tools do we have available to us?
• What labelling conventions will we use?
• Document preparation
• Chain of custody templates
• Procedural documents
• Communication templates
• Prepared incident logs
• Report templates
• Incident Response exercising
• Gain familiarity with roles and processes
• Establish probable timescales
• Test communications
• Identify gaps
• Test efficacy of chosen tools
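Several of the preparation items above (verifying tools, a labelling convention, chain-of-custody templates, forensic imaging) reduce to a small amount of code that can be written and tested before an incident. The following is an added example, not code from the presentation or from CommSec: it streams an acquired image through SHA-256 at intake, records the hash and the hand-over history in an append-only chain-of-custody record, and checks tool binaries against hashes recorded when they were validated. The case identifier, the `<case>/<examiner initials>/<sequence>` label scheme, the record layout, the file names and all file contents are constructed assumptions for illustration.

```python
"""Added example (not from the presentation): evidence intake helper.

Covers an exhibit labelling convention, a chain-of-custody record, and
SHA-256 verification of an acquired image and of the tools used.
Every file, hash and identifier below is constructed for illustration.
"""
import hashlib
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so multi-GB images never sit in RAM."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def exhibit_label(case_id: str, examiner: str, seq: int) -> str:
    """Assumed labelling convention: <case>/<examiner initials>/<3-digit seq>."""
    return f"{case_id}/{examiner}/{seq:03d}"


def new_custody_record(case_id, examiner, seq, image: Path, source, when=None):
    """Create the chain-of-custody record at acquisition time.

    The hash is computed exactly once, here; later verification compares
    the image against this stored value rather than recomputing the record.
    """
    when = when or datetime.now(timezone.utc)
    return {
        "exhibit": exhibit_label(case_id, examiner, seq),
        "source": source,
        "image_file": image.name,
        "sha256": sha256_file(image),
        "custody": [{"time": when.isoformat(), "holder": examiner, "action": "acquired"}],
    }


def transfer_custody(record, from_holder, to_holder, reason, when=None):
    """Append a hand-over event. The list is append-only; nothing is edited."""
    current = record["custody"][-1]["holder"]
    if current != from_holder:
        raise ValueError(f"{from_holder} does not hold {record['exhibit']} ({current} does)")
    when = when or datetime.now(timezone.utc)
    record["custody"].append(
        {"time": when.isoformat(), "holder": to_holder, "action": f"transferred: {reason}"}
    )
    return record


def verify_image(record, image: Path) -> bool:
    """True only if the image still hashes to the value recorded at intake."""
    return sha256_file(image) == record["sha256"]


def verify_tools(known_good: dict, tool_dir: Path) -> dict:
    """Compare each tool binary with the hash recorded when it was validated."""
    return {
        name: (tool_dir / name).exists() and sha256_file(tool_dir / name) == digest
        for name, digest in known_good.items()
    }


def run_demo() -> dict:
    """Walk the workflow on constructed files in a temporary directory."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        image = tmp / "LAPTOP-042.E01"  # constructed bytes, not a real image
        image.write_bytes(b"\x00" * 4096 + b"constructed disk image payload")
        tools = tmp / "tools"
        tools.mkdir()
        (tools / "imager").write_bytes(b"validated imager build")
        (tools / "hasher").write_bytes(b"tampered hasher build")
        known_good = {  # assumed hashes recorded at tool validation time
            "imager": hashlib.sha256(b"validated imager build").hexdigest(),
            "hasher": hashlib.sha256(b"validated hasher build").hexdigest(),
        }
        record = new_custody_record(
            "IR-2024-017", "AB", 1, image, "Laptop, finance dept, asset tag 042 (constructed)"
        )
        transfer_custody(record, "AB", "Evidence store", "secure storage pending analysis")
        before = verify_image(record, image)
        with image.open("ab") as fh:  # simulate an accidental modification
            fh.write(b"!")
        after = verify_image(record, image)
        return {
            "record": record,
            "image_ok_before": before,
            "image_ok_after_tamper": after,
            "tools": verify_tools(known_good, tools),
        }


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Run as a script it prints the record and the verification results; the single appended byte flips `image_ok_before` to `image_ok_after_tamper` false, and the `hasher` tool fails its known-good check, which is the point of verifying tools before, not during, an incident.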
Examination Analysis Reporting
• Quicker and more efficient response
• Quickly identify attack vectors
• Less likelihood of inadvertently damaging evidence during the early part of the response
• Lower cost – maintaining evidence sources can cost significantly less than trying to make up for
• Lower cost – IR costs can be enormous, and completing as much preparation as possible beforehand removes that cost during events
• Less disruption to normal business during
• Detect threats earlier
• Deter insider threats
• Demonstrate high standards for compliance